US8750507B2ActiveUtilityA1

Dynamic group creation for managed key servers

88
Assignee: ROOSTA TANYAPriority: Jan 25, 2010Filed: Jan 25, 2010Granted: Jun 10, 2014
Est. expiryJan 25, 2030(~3.6 yrs left)· nominal 20-yr term from priority
H04L 9/0833H04L 63/065H04L 63/104
88
PatentIndex Score
32
Cited by
11
References
20
Claims

Abstract

A technique for dynamically creating and deleting groups to support secure group communication sessions is provided herein. A request for creation of a dynamic group that enables group members to participate in a secure group communication session is received by a network authentication device such as a key server. Creation of the dynamic group includes generating a lifetime attribute indicating when the dynamic group is to exist based on timing information provided in the request, along with security policies required for generating the keys, and generating a unique group ID associated with the dynamic group for distribution to the group members. The keys for the secure group communication session are supplied, along with security policies, in response to a request containing the unique group ID identifying the dynamic group. The dynamic group is deleted in response to determining from the lifetime attribute that the secure group communication session has expired.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method performed at a key server comprising:
 receiving a request for creation of a dynamic group that enables group members to participate in a secure group communication session, wherein the request includes timing information indicating when the dynamic group is to exist; 
 creating the dynamic group, including:
 generating a lifetime attribute of the dynamic group based on the received timing information, wherein the lifetime attribute indicates the time period of when the dynamic group is to exist, and 
 generating a unique group identifier (ID) associated with the dynamic group for distribution to the group members; 
 
 supplying keys for the secure group communication session in response to one or more requests containing the unique group ID identifying the dynamic group for use by the group members to encrypt and decrypt traffic that is sent during the secure group communication session; and 
 deleting the dynamic group in response to determining from the lifetime attribute that the secure group communication session has expired. 
 
     
     
       2. The method of  claim 1 , wherein supplying the keys includes supplying the keys to at least one group member configured to run an on-demand application to implement the secure group communication session. 
     
     
       3. The method of  claim 1 , wherein supplying the keys includes supplying the keys to a pseudo group member configured to run an on-demand application to implement the secure group communication session among the group members. 
     
     
       4. The method of  claim 1 , further comprising:
 receiving an extension request to extend a period of the secure group communication session; and 
 adjusting the lifetime attribute of the dynamic group in accordance with the extension request to modify an expiration time of the secure group communication session. 
 
     
     
       5. The method of  claim 1 , further comprising:
 generating a delete notification for distribution to the group members in response to deleting the dynamic group. 
 
     
     
       6. The method of  claim 1 , wherein a group keying protocol is used to supply the keys. 
     
     
       7. The method of  claim 1 , wherein the lifetime attribute of the dynamic group specifies a start time and either a duration or an expiration time associated with the secure group communication session. 
     
     
       8. The method of  claim 1 , further comprising:
 rekeying the dynamic group by generating new keys for distribution to the group members during the secure group communication session. 
 
     
     
       9. An apparatus comprising:
 a network interface unit configured to communicate messages over a network; 
 a processor configured to be coupled to the network interface unit, wherein the processor is configured to:
 receive a request for creation of a dynamic group that enables group members to participate in a secure group communication session, wherein the request includes timing information indicating when the dynamic group is to exist; 
 create the dynamic group, including:
 generate a lifetime attribute of the dynamic group indicating the time period of when the dynamic group is to exist, and 
 generate a unique group identifier (ID) associated with the dynamic group for distribution to the group members; 
 
 supply keys for the secure group communication session in response to one or more requests containing the unique group ID identifying the dynamic group for use by the group members to encrypt and decrypt traffic that is sent during the secure group communication session; and 
 delete the dynamic group in response to determining from the lifetime attribute that the secure group communication session has expired. 
 
 
     
     
       10. The apparatus of  claim 9 , wherein the processor is configured to supply the keys to at least one group member configured to run an on-demand application to implement the secure group communication session. 
     
     
       11. The apparatus of  claim 9 , wherein the processor is configured to supply the keys to a pseudo group member configured to run an on-demand application to implement the secure group communication session among the group members. 
     
     
       12. The apparatus of  claim 9 , wherein the processor is further configured to:
 receive an extension request to extend a period of the secure group communication session; and 
 adjust the lifetime attribute of the dynamic group in accordance with the extension request to modify an expiration time of the secure group communication session. 
 
     
     
       13. The apparatus of  claim 9 , wherein the processor is further configured to:
 generate a delete notification for distribution to the group members in response to deleting the dynamic group. 
 
     
     
       14. The apparatus of  claim 9 , wherein the processor is configured to supply the keys using a group keying protocol. 
     
     
       15. A non-transitory processor readable medium storing instructions that, when executed by a processor at a key server, cause the processor to:
 receive a request for creation of a dynamic group that enables group members to participate in a secure group communication session, wherein the request includes timing information indicating when the dynamic group is to exist; 
 create the dynamic group, including:
 generate a lifetime attribute of the dynamic group indicating the time period of when the dynamic group is to exist, and 
 generate a unique group identifier (ID) associated with the dynamic group for distribution to the group members; 
 
 supply keys for the secure group communication session in response to one or more requests containing the unique group ID identifying the dynamic group for use by the group members to encrypt and decrypt traffic that is sent during the secure group communication session; and 
 delete the dynamic group in response to determining from the lifetime attribute that the secure group communication session has expired. 
 
     
     
       16. The non-transitory processor readable medium of  claim 15 , wherein the instructions that cause the processor to supply the keys comprise instructions that cause the processor to supply the keys to at least one group member configured to run an on-demand application to implement the secure group communication session. 
     
     
       17. The non-transitory processor readable medium of  claim 15 , wherein the instructions that cause the processor to supply the keys comprise instructions that cause the processor to supply the keys to a pseudo group member configured to run an on-demand application to implement the secure group communication session among the group members. 
     
     
       18. The non-transitory processor readable medium of  claim 15 , further storing instructions that, when executed by the processor, further cause the processor to:
 receive an extension request to extend a period of the secure group communication session; and 
 adjust the lifetime attribute of the dynamic group in accordance with the extension request to modify an expiration time of the secure group communication session. 
 
     
     
       19. The non-transitory processor readable medium of  claim 15 , further storing instructions that, when executed by the processor, further cause the processor to:
 generate a delete notification for distribution to the group members in response to deleting the dynamic group. 
 
     
     
       20. The non-transitory processor readable medium of  claim 15 , wherein the instructions that cause the processor to supply the keys comprise instructions that cause the processor to supply the keys using a group keying protocol.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.